AI, Privilege, and the Courts: Key Ruling on AI-Generated Legal Materials
As artificial intelligence (AI) transitions from experimental models to practical, agent-driven applications in 2026, legal professionals and clients alike must be mindful of the confidentiality, privilege, and discoverability of AI-generated content.
A recent bench ruling on February 12, 2026 in U.S. v. Heppner (S.D.N.Y.) highlights the evolving intersection of AI and legal privilege. In this case, a Texas financial services executive accused of a $150 million fraud used an AI tool to prepare 31 documents related to his legal case, which he then shared with his attorneys. The court held that these AI-generated documents were not protected by attorney-client privilege or the work product doctrine, emphasizing that materials created independently by a defendant using a commercial AI platform, without attorney involvement, do not meet the requirements for privilege. The judge also noted that the AI tool’s terms of service expressly disclaim confidentiality, further undermining any privilege claim.
The government successfully argued that the AI tool was not an attorney, the documents were not created for the purpose of obtaining legal advice, and the information was not confidential. The court agreed, likening the use of an AI tool to seeking input from friends or conducting independent research, neither of which is privileged simply because the results are later shared with counsel. However, the judge cautioned that if prosecutors attempt to use the AI-generated materials at trial, it could create a “witness-advocate conflict” if defense counsel becomes a fact witness.
This decision underscores the importance of understanding the limits of privilege when using AI tools in legal matters, particularly as AI becomes more integrated into professional workflows.
The Patchwork of Data Privacy Laws: Recent Developments and Implications
On December 30, 2025 (announced January 22, 2026), the French Data Authority CNIL fined an undisclosed company €5 million for transferring loyalty program member data of more than 10 million individuals to a social network for ad targeting without valid user consent.
On January 8, 2026, the California Privacy Protection Agency (CPPA) reached settlements with Rickenbacher Data LLC (Datamasters) for $45,000 and S&P Global, Inc. for $62,000 for failing to register as a data broker. Datamasters is barred from selling any personal data of California residents.
On January 8, 2026, the Kentucky Attorney General’s office announced a lawsuit against Character.AI, a popular online chatbot, for violations of various Kentucky laws, including the Consumer Data Protection Act, and for prioritizing profits by allowing children to engage with chatbots that have a history of psychological manipulation and of encouraging suicide, self-injury, and isolation.
On January 13, 2026, the French Data Authority CNIL fined Free Mobile and Free a total of €42 million for inadequate measures taken to protect their subscribers’ personal data after data was stolen in a cyberattack.
On January 20, the England Information Commissioner’s Office (ICO) announced two fines, one £120,000 fine against Allay Claims, Ltd. and one £105,000 fine against ZMLUK Limited, for sending millions of direct marketing emails and text messages to individuals without obtaining proper consent.
On January 29, 2026, the French Data Authority CNIL fined France Travail €5 million for failing to protect sensitive and high-volume public service datasets containing job seeker data that was stolen in a cyberattack.
On January 24, 2026, ShinyHunters, a ransomware group, used a voice phishing attack targeting single sign-on credentials to bypass multi-factor authentication. The group demanded a ransom, which was not paid. Over two million records related to public and private companies on the Crunchbase platform were stolen and shared on the dark web. Due to the nature of the data exposed, impacted companies should vigilantly defend against targeted phishing.
Ransomware group ShinyHunters used a voice phishing attack to gain access to over 10 million records. The breach has been linked to AppsFlyer, an analytics platform used by Match Group. Exposed data included user IDs, IP addresses, profile data, and internal documents.
On January 22, 2026, the retailer learned that malicious actors gained "unauthorized access to the system supporting our retail website." Personal information, including credit card data, was compromised for over 1,000 customers. The company noted that all impacted users checked out as guests on the platform.
Ransomware group ShinyHunters claimed to breach Panera Bread’s systems, gaining access to over 14 million records. Panera stated that the “data involved is contact information.”
On January 9, 2026, hackers used a social engineering attack against third-party platforms used by Betterment to gain access to systems. Once inside, hackers sent messages to customers purporting to be Betterment. Betterment confirmed that the message was not legitimate and should be disregarded.
In January 2026, data allegedly scraped via an Instagram API was uploaded to a hacking forum. The dataset includes 17 million records of public data associated with 6.2 million Instagram accounts.